Veterans Affairs Department officials are already warning Congress the massive overhaul of the agency’s electronic health record system could cost more—and take more time—than they originally thought.

Less than nine months into a 10-year, $10 billion effort to adopt the same record management platform as the Pentagon, the department’s second-in-command said officials won’t know the total budget for the project until they finish the first round of field tests. The platform, built by Cerner Corp., is scheduled to go live at three sites in the Pacific Northwest in March 2020.

“The rollout of these [initial] sites in Washington state … [is] going to give us a picture of how much this is actually going to cost,” James Byrne, the department’s acting deputy secretary, told a Senate Appropriations subpanel on Tuesday. “We’re guessing right now on the amount. I think it’s an educated guess, but after the [initial rollouts] I believe we’re going to have a much clearer picture.”

This uncertainty didn’t sit well with Sen. Steve Daines, R-Mont., who called such sweeping, time-consuming IT overhauls “a recipe for disaster.” The exchange was one of several that put lawmakers’ concerns about the modernization effort on full display.

The hearing comes less than a week after the Defense Department disclosed that its version of the Cerner platform, MHS Genesis, “is not survivable in a cyber-contested environment.” According to an unclassified report, Pentagon hackers were able to launch three successful cyberattacks against the system between November 2017 and June 2018.

But when Sen. Susan Collins, R-Maine, asked how Veterans Affairs was bolstering its platform’s digital defenses, Byrne questioned whether the Pentagon report should even be cause for concern.

“The red team at DOD is the best of the best, and so I don’t know that them penetrating the environment necessarily means it’s not a robust defense,” he said. However, the department’s Operational Testing and Evaluation office recently concluded the groups that perform such cyber testing are overworked, overscheduled and may not have the capabilities to represent nation-state threats from China or Russia.

After Collins retorted that many foreign actors “are also very, very capable in this area,” John Short, the chief technology officer for the agency’s EHR implementation office, said Cerner is constantly working to address vulnerabilities in the system.

Officials told lawmakers they have yet to finalize a third-party governance body to oversee the implementation effort at the Defense and Veterans Affairs departments, which the Government Accountability Office said is critical to the project’s success. Currently, the Interagency Program Office is charged with overseeing the joint implementation, but even the office’s director admitted it didn’t have enough resources to fulfill its responsibilities.

“This process will be impossible without an entity at the top of the food chain to make final decisions,” Sen. Jon Tester, D-Mont., said. “In the meantime, important decisions are being made without formal interagency structure, and more importantly many decisions are being kicked down the road because there’s nobody in place to make them.”

While the IPO has been successful as an intermediary, Byrne said, the two agencies have assembled a task force to figure out the best way to ensure accountability. The group is scheduled to disclose its findings by the end of the month.